Merge commit 'jrollins/master'

26 files changed, 537 insertions, 386 deletions

diff --git a/etc/monkeysphere-authentication.conf b/etc/monkeysphere-authentication.conf
index ea40966..0a28c4d 100644
--- a/etc/monkeysphere-authentication.conf
+++ b/etc/monkeysphere-authentication.conf
@@ -28,4 +28,4 @@
 # by the home directory of the user, and '%u' will by replaced by the
 # username of the user.  Setting this variable to 'none' prevents the
 # inclusion of user controlled authorized_keys file.
-# RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
+#RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"
diff --git a/etc/monkeysphere.conf b/etc/monkeysphere.conf
index 2f0b877..20df62b 100644
--- a/etc/monkeysphere.conf
+++ b/etc/monkeysphere.conf
@@ -14,7 +14,7 @@
 # MONKEYSPHERE_GNUPGHOME environment variable, then the value of the
 # GNUPGHOME environment variable will be used.  If GNUPGHOME is not
 # set either, then the default value is listed below.
-# GNUPGHOME=~/.gnupg
+#GNUPGHOME=~/.gnupg
 
 # GPG keyserver to search for keys.
 #KEYSERVER=pool.sks-keyservers.net
diff --git a/man/man8/monkeysphere-authentication.8 b/man/man8/monkeysphere-authentication.8
index 2b0091e..9b8baa9 100644
--- a/man/man8/monkeysphere-authentication.8
+++ b/man/man8/monkeysphere-authentication.8
@@ -24,8 +24,10 @@ authentication.
 \fBmonkeysphere-authentication\fP takes various subcommands.
 .TP
 .B setup
-Setup the server for Monkeysphere user authentication.  `s' may be
-used in place of `setup'.
+Setup the server for Monkeysphere user authentication.  This command
+is idempotent, which means it can be run multiple times to make sure
+the setup is correct, without adversely affecting existing setups.
+`s' may be used in place of `setup'.
 .TP
 .B update-users [ACCOUNT]...
 Rebuild the monkeysphere-controlled authorized_keys files.  For each
@@ -60,6 +62,17 @@ Instruct system to ignore user identity certifications made by KEYID.
 List key IDs trusted by the system to certify user identities.  `c'
 may be used in place of `list-id-certifiers'.
 .TP
+.B diagnostics
+Review the state of the server with respect to authentication.  `d'
+may be used in place of `diagnostics'.
+.TP
+.B gpg-cmd
+Execute a gpg command, as the monkeysphere user, on the monkeysphere
+authentication "sphere" keyring.  This takes a single argument
+(multiple gpg arguments need to be quoted).  Use this command with
+caution, as modifying the authentication sphere keyring can affect ssh
+user authentication.
+.TP
 .B help
 Output a brief usage summary.  `h' or `?' may be used in place of
 `help'.
@@ -67,22 +80,6 @@ Output a brief usage summary.  `h' or `?' may be used in place of
 .B version
 show version number
 
-.SH "EXPERT" SUBCOMMANDS
-
-Some commands are very unlikely to be needed by most administrators.
-These commands must prefaced by the word `expert'.
-.TP
-.B diagnostics
-Review the state of the server with respect to authentication.  `d'
-may be used in place of `diagnostics'.
-.TP
-.B gpg-cmd
-Execute a gpg command on the gnupg-authentication keyring as the
-monkeysphere user.  This takes a single command (multiple gpg
-arguments need to be quoted).  Use this command with caution, as
-modifying the gnupg-authentication keyring can affect ssh user
-authentication.
-
 .SH SETUP USER AUTHENTICATION
 
 If the server will handle user authentication through
diff --git a/man/man8/monkeysphere-host.8 b/man/man8/monkeysphere-host.8
index 78b6b4a..062f0aa 100644
--- a/man/man8/monkeysphere-host.8
+++ b/man/man8/monkeysphere-host.8
@@ -61,33 +61,13 @@ Revoke the host's OpenPGP key.  `r' may be used in place of
 Publish the host's OpenPGP key to the keyserver.  `p' may be used in
 place of `publish-key'.
 .TP
-.B help
-Output a brief usage summary.  `h' or `?' may be used in place of
-`help'.
-.TP
-.B version
-show version number
-
-.SH "EXPERT" SUBCOMMANDS
-
-Some commands are very unlikely to be needed by most administrators.
-These commands must prefaced by the word `expert'.
-.TP
-.B gen-key [HOSTNAME]
-Generate a OpenPGP key for the host.  If HOSTNAME is not specified,
-then the system fully-qualified domain name will be user.  An
-alternate key bit length can be specified with the `-l' or `--length'
-option (default 2048).  An expiration length can be specified with the
-`-e' or `--expire' option (prompt otherwise).  The expiration format
-is the same as that of \fBextend-key\fP, below.  `g' may be used in
-place of `gen-key'.
-.TP
-.B import-key
-FIXME:
-  import-key (i)                     import existing ssh key to gpg
-   --hostname (-h) NAME[:PORT]         hostname for key user ID
-   --keyfile (-f) FILE                 key file to import
-   --expire (-e) EXPIRE                date to expire
+.B import-key [NAME[:PORT]]
+Import a pem-encoded ssh secret host key, from stdin.  NAME[:PORT] is
+used to specify the hostname (and port) used in the user ID of the new
+OpenPGP key.  If NAME is not specified, then the system
+fully-qualified domain name will be used (ie. `hostname -f').  If PORT
+is not specified, the no port is added to the user ID, which means
+port 22 is assumed.  `i' may be used in place of `import-key'.
 .TP
 .B diagnostics
 Review the state of the monkeysphere server host key and report on
@@ -95,6 +75,13 @@ suggested changes.  Among other checks, this includes making sure
 there is a valid host key, that the key is published, that the sshd
 configuration points to the right place, etc.  `d' may be used in
 place of `diagnostics'.
+.TP
+.B help
+Output a brief usage summary.  `h' or `?' may be used in place of
+`help'.
+.TP
+.B version
+show version number
 
 .SH SETUP HOST AUTHENTICATION
 
@@ -104,11 +91,6 @@ publish the host key to the keyservers, run the following command:
 
 $ monkeysphere-host publish-key
 
-You must also modify the sshd_config on the server to tell sshd where
-the new server host key is located:
-
-HostKey /var/lib/monkeysphere/host/ssh_host_rsa_key
-
 In order for users logging into the system to be able to identify the
 host via the monkeysphere, at least one person (e.g. a server admin)
 will need to sign the host's key.  This is done using standard OpenPGP
diff --git a/packaging/debian/changelog b/packaging/debian/changelog
index 6b31e16..c825b64 100644
--- a/packaging/debian/changelog
+++ b/packaging/debian/changelog
@@ -7,6 +7,7 @@ monkeysphere (0.23~pre-1) UNRELEASED; urgency=low
     - replace monkeysphere-server with monkeysphere-{authentication,host}
     - fold monkeysphere-ssh-proxycommand into /usr/bin/monkeysphere
 
+  * new ability to import existing ssh key into monkeysphere
   * simplify adding a host to the monkeysphere, automate the process
     during debian installation
   * provide pem2openpgp for translating unencrypted PEM-encoded raw key
@@ -18,7 +19,7 @@ monkeysphere (0.23~pre-1) UNRELEASED; urgency=low
   * check that existing authentication keys are valid in gen_key
      function.
 
- -- Daniel Kahn Gillmor <dkg@pip.fifthhorseman.net>  Sat, 31 Jan 2009 17:32:58 -0500
+ -- Jameson Graef Rollins <jrollins@finestructure.net>  Thu, 12 Feb 2009 21:50:54 -0500
 
 monkeysphere (0.22-1) unstable; urgency=low
 
diff --git a/src/monkeysphere-authentication b/src/monkeysphere-authentication
index 6d2e72c..c349e6f 100755
--- a/src/monkeysphere-authentication
+++ b/src/monkeysphere-authentication
@@ -31,7 +31,7 @@ MADATADIR="${SYSDATADIR}/authentication"
 
 # temp directory to enable atomic moves of authorized_keys files
 MATMPDIR="${MADATADIR}/tmp"
-export MSTMPDIR
+export MATMPDIR
 
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
@@ -61,12 +61,10 @@ subcommands:
  remove-id-certifier (c-) KEYID      remove a certification key
  list-id-certifiers (c)              list certification keys
 
- expert <expert-subcommand>          run expert command
- expert help                         expert command help
-
  version (v)                         show version number
  help (h,?)                          this help
 
+See ${PGRM}(8) for more info.
 EOF
 }
 
@@ -75,17 +73,12 @@ gpg_core() {
     GNUPGHOME="$GNUPGHOME_CORE"
     export GNUPGHOME
 
-    # NOTE: we supress this warning because we need the monkeysphere
-    # user to be able to read the host pubring.  we realize this might
-    # be problematic, but it's the simplest solution, without too much
-    # loss of security.
     gpg "$@"
 }
 
 # function to interact with the gpg sphere keyring
-# FIXME: this function requires basically accepts only a single
-# argument because of problems with quote expansion.  this needs to be
-# fixed/improved.
+# FIXME: this function requires only a single argument because of
+# problems with quote expansion.  this needs to be fixed/improved.
 gpg_sphere() {
     GNUPGHOME="$GNUPGHOME_SPHERE"
     export GNUPGHOME
@@ -93,21 +86,42 @@ gpg_sphere() {
     su_monkeysphere_user "gpg $@"
 }
 
+# output to stdout the core fingerprint from the gpg core secret
+# keyring
+core_fingerprint() {
+    log debug "determining core key fingerprint..."
+    gpg_core --quiet --list-secret-key \
+	--with-colons --fixed-list-mode --with-fingerprint \
+	| grep ^fpr: | cut -d: -f10
+}
+
+# fail if authentication has not been setup
+check_no_setup() {
+    # FIXME: what is the right test to do here?
+    [ -d "$MADATADIR" ] \
+	|| failure "This host appears to have not yet been set up for Monkeysphere authentication.
+Please run 'monkeysphere-authentication setup' first."
+}
+
 # export signatures from core to sphere
 gpg_core_sphere_sig_transfer() {
+    log debug "exporting core local sigs to sphere..."
     gpg_core --export-options export-local-sigs --export | \
-	gpg_sphere --import-options import-local-sigs --import
+	gpg_sphere "--import-options import-local-sigs --import"
 }
 
 ########################################################################
 # MAIN
 ########################################################################
 
-# unset variables that should be defined only in config file
+# unset variables that should be defined only in config file of in
+# MONKEYSPHERE_ variables
+unset LOG_LEVEL
 unset KEYSERVER
 unset AUTHORIZED_USER_IDS
 unset RAW_AUTHORIZED_KEYS
 unset MONKEYSPHERE_USER
+unset PROMPT
 
 # load configuration file
 [ -e ${MONKEYSPHERE_AUTHENTICATION_CONFIG:="${SYSCONFIGDIR}/monkeysphere-authentication.conf"} ] && . "$MONKEYSPHERE_AUTHENTICATION_CONFIG"
@@ -119,6 +133,7 @@ KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
 AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
 RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
 MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
+PROMPT=${MONKEYSPHERE_PROMPT:=${PROMPT:="true"}}
 
 # other variables
 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
@@ -131,8 +146,9 @@ CORE_KEYLENGTH=${MONKEYSPHERE_CORE_KEYLENGTH:="2048"}
 export DATE
 export MODE
 export LOG_LEVEL
-export MONKEYSPHERE_USER
 export KEYSERVER
+export MONKEYSPHERE_USER
+export PROMPT
 export CHECK_KEYSERVER
 export REQUIRED_USER_KEY_CAPABILITY
 export GNUPGHOME_CORE
@@ -152,54 +168,37 @@ case $COMMAND in
 	;;
 
     'update-users'|'update-user'|'u')
+	check_no_setup
 	source "${MASHAREDIR}/update_users"
 	update_users "$@"
 	;;
 
     'add-identity-certifier'|'add-id-certifier'|'add-certifier'|'c+')
+	check_no_setup
 	source "${MASHAREDIR}/add_certifier"
 	add_certifier "$@"
 	;;
 
     'remove-identity-certifier'|'remove-id-certifier'|'remove-certifier'|'c-')
+	check_no_setup
 	source "${MASHAREDIR}/remove_certifier"
 	remove_certifier "$@"
 	;;
 
     'list-identity-certifiers'|'list-id-certifiers'|'list-certifiers'|'list-certifier'|'c')
+	check_no_setup
 	source "${MASHAREDIR}/list_certifiers"
 	list_certifiers "$@"
 	;;
 
-    'expert')
-	SUBCOMMAND="$1"
-	shift
-	case "$SUBCOMMAND" in
-	    'help'|'h'|'?')
-		cat <<EOF
-usage: $PGRM expert <subcommand> [options] [args]
-
-expert subcommands:
- diagnostics (d)                     monkeysphere authentication status
- gpg-cmd CMD                         execute gpg command
-
-EOF
-		;;
-
-	    'diagnostics'|'d')
-		source "${MASHAREDIR}/diagnostics"
-		diagnostics
-		;;
-
-	    'gpg-cmd')
-		gpg_sphere "$@"
-		;;
+    'diagnostics'|'d')
+	source "${MASHAREDIR}/diagnostics"
+	diagnostics
+	;;
 
-	    *)
-		failure "Unknown expert subcommand: '$COMMAND'
-Type '$PGRM help' for usage."
-		;;
-	esac
+    'gpg-cmd')
+	check_no_setup
+	gpg_sphere "$@"
 	;;
 
     'version'|'v')
diff --git a/src/monkeysphere-host b/src/monkeysphere-host
index be398b1..2dc6003 100755
--- a/src/monkeysphere-host
+++ b/src/monkeysphere-host
@@ -32,6 +32,13 @@ MHSHAREDIR="${SYSSHAREDIR}/mh"
 # datadir for host functions
 MHDATADIR="${SYSDATADIR}/host"
 
+# temp directory for temp gnupghome directories for add_revoker
+MHTMPDIR="${MHDATADIR}/tmp"
+export MHTMPDIR
+
+# host pub key files
+HOST_KEY_FILE="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
+
 # UTC date in ISO 8601 format if needed
 DATE=$(date -u '+%FT%T')
 
@@ -59,12 +66,12 @@ subcommands:
  revoke-key (r)                      revoke host key
  publish-key (p)                     publish host key to keyserver
 
- expert <expert-subcommand>          run expert command
- expert help                         expert command help
+ import-key (i) [NAME[:PORT]]        import existing ssh key to gpg
 
  version (v)                         show version number
  help (h,?)                          this help
 
+See ${PGRM}(8) for more info.
 EOF
 }
 
@@ -82,33 +89,58 @@ gpg_host_list() {
 }
 
 # command for edit key scripts, takes scripts on stdin
+# FIXME: should we supress all the edit script spew?  or pipe it
+# through log debug?
 gpg_host_edit() {
     gpg_host --quiet --command-fd 0 --edit-key \
 	"0x${HOST_FINGERPRINT}!" "$@"
 }
 
-# export the host key to stdout
-gpg_host_export() {
+# export the host public key to the monkeysphere gpg pub key file
+update_gpg_pub_file() {
+    log debug "updating openpgp public key file '$HOST_KEY_FILE'..."
     gpg_host --export --armor --export-options export-minimal \
-	"0x${HOST_FINGERPRINT}!"
+	"0x${HOST_FINGERPRINT}!" > "$HOST_KEY_FILE"
 }
 
-# export the host key to the monkeysphere host file key
-gpg_host_export_to_ssh_file() {
-    log debug "exporting openpgp public key..."
+# load the host fingerprint into the fingerprint variable, using the
+# export gpg pub key file
+# FIXME: this seems much less than ideal, with all this temp keyring
+# stuff.  is there a way we can do this without having to create temp
+# files?  what if we stored the fingerprint in MHDATADIR/fingerprint?
+load_fingerprint() {
+    if [ -f "$HOST_KEY_FILE" ] ; then
+	HOST_FINGERPRINT=$( \
+	    (FUBAR=$(mktemp -d) && export GNUPGHOME="$FUBAR" \
+	    && gpg --quiet --import \
+	    && gpg --quiet --list-keys --with-colons --with-fingerprint \
+	    && rm -rf "$FUBAR") <"$HOST_KEY_FILE" \
+	    | grep '^fpr:' | cut -d: -f10 )
+    else
+	HOST_FINGERPRINT=
+    fi
+}
 
-    gpg_host_export > "$HOST_KEY_PUB_GPG"
-    log info "SSH host public key in OpenPGP form: $HOST_KEY_PUB_GPG"
+# load the host fingerprint into the fingerprint variable, using the
+# gpg host secret key
+load_fingerprint_secret() {
+    HOST_FINGERPRINT=$( \
+	gpg_host --quiet --list-secret-key \
+	--with-colons --with-fingerprint \
+	| grep '^fpr:' | cut -d: -f10 )
 }
 
-# output just key fingerprint
-# FIXME: should not have to be priviledged user to get host
-# fingerprint.  should be taken from publicly accessible key files,
-# instead of the keyring.
-get_host_fingerprint() {
-    gpg_host --list-secret-keys --fingerprint \
-	--with-colons --fixed-list-mode 2> /dev/null | \
-	grep '^fpr:' | head -1 | cut -d: -f10 2>/dev/null || true
+# fail if host key present
+check_host_key() {
+    [ ! -s "$HOST_KEY_FILE" ] \
+	|| failure "An OpenPGP host key already exists."
+}
+
+# fail if host key not present
+check_host_no_key() {
+    [ -s "$HOST_KEY_FILE" ] \
+	|| failure "You don't appear to have a Monkeysphere host key on this server.
+Please run 'monkeysphere-host import-key' first."
 }
 
 # output the index of a user ID on the host key
@@ -135,41 +167,54 @@ find_host_userid() {
     fi
 }
 
-# function to check for host secret key
-check_host_fail() {
-    [ "$HOST_FINGERPRINT" ] || \
-	failure "You don't appear to have a Monkeysphere host key on this server.  Please run 'monkeysphere-host expert import-key' first."
-}
-
 # show info about the host key
 show_key() {
-    local fingerprintSSH
+    local GNUPGHOME
 
-    gpg_host --fingerprint --list-key --list-options show-unusable-uids \
-	"0x${HOST_FINGERPRINT}!" 2>/dev/null
-    # FIXME: make sure expiration date is shown
+    # tmp gpghome dir
+    export GNUPGHOME=$(mktemp -d)
 
-    echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
+    # trap to remove tmp dir if break
+    trap "rm -rf $GNUPGHOME" EXIT
 
-    if [ -f "$HOST_KEY_PUB" ] ; then
-	fingerprintSSH=$(ssh-keygen -l -f "$HOST_KEY_PUB" | \
-	    awk '{ print $1, $2, $4 }')
+    # import the host key into the tmp dir
+    gpg --quiet --import <"$HOST_KEY_FILE"
 
-	echo "ssh fingerprint: $fingerprintSSH"
-    else
-	log error "SSH host key not found."
-    fi
+    HOST_FINGERPRINT=$(gpg --quiet --list-keys --with-colons --with-fingerprint \
+	| grep '^fpr:' | cut -d: -f10 )
+
+    # list the host key info
+    # FIXME: make no-show-keyring work so we don't have to do the grep'ing
+    # FIXME: can we show uid validity somehow?
+    gpg --list-keys --fingerprint \
+	--list-options show-unusable-uids 2>/dev/null \
+	| grep -v "^${GNUPGHOME}/pubring.gpg$" \
+	| egrep -v '^-+$'
+
+    # list the pgp fingerprint
+    echo "OpenPGP fingerprint: $HOST_FINGERPRINT"
+
+    # list the ssh fingerprint
+    echo -n "ssh fingerprint: "
+    ssh-keygen -l -f /dev/stdin \
+	<<<$(openpgp2ssh <"$HOST_KEY_FILE" 2>/dev/null) \
+	| awk '{ print $1, $2, $4 }'
 
-    # FIXME: other relevant key parameters?
+    # remove the tmp file
+    trap - EXIT
+    rm -rf "$GNUPGHOME"
 }
 
 ########################################################################
 # MAIN
 ########################################################################
 
-# unset variables that should be defined only in config file
+# unset variables that should be defined only in config file of in
+# MONKEYSPHERE_ variables
+unset LOG_LEVEL
 unset KEYSERVER
 unset MONKEYSPHERE_USER
+unset PROMPT
 
 # load configuration file
 [ -e ${MONKEYSPHERE_HOST_CONFIG:="${SYSCONFIGDIR}/monkeysphere-host.conf"} ] && . "$MONKEYSPHERE_HOST_CONFIG"
@@ -178,116 +223,88 @@ unset MONKEYSPHERE_USER
 # defaults
 LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}}
 KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}}
-AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}}
-RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}}
 MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}
+PROMPT=${MONKEYSPHERE_PROMPT:=${PROMPT:="true"}}
 
 # other variables
 CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:="true"}
 GNUPGHOME_HOST=${MONKEYSPHERE_GNUPGHOME_HOST:="${MHDATADIR}"}
 
-# host key fingerprint
-HOST_FINGERPRINT=$(get_host_fingerprint)
-
-# host pub key files
-HOST_KEY_PUB="${SYSDATADIR}/ssh_host_rsa_key.pub"
-HOST_KEY_PUB_GPG="${SYSDATADIR}/ssh_host_rsa_key.pub.gpg"
-
 # export variables needed in su invocation
 export DATE
 export MODE
 export LOG_LEVEL
-export MONKEYSPHERE_USER
 export KEYSERVER
+export MONKEYSPHERE_USER
+export PROMPT
+export CHECK_KEYSERVER
 export GNUPGHOME_HOST
 export GNUPGHOME
-export HOST_FINGERPRINT
+export HOST_FINGERPRINT=
 
 # get subcommand
 COMMAND="$1"
 [ "$COMMAND" ] || failure "Type '$PGRM help' for usage."
 shift
 
-
 case $COMMAND in
     'show-key'|'show'|'s')
-	check_host_fail
+	check_host_no_key
 	show_key
 	;;
 
     'set-expire'|'extend-key'|'e')
-	check_host_fail
+	check_host_no_key
+	load_fingerprint
 	source "${MHSHAREDIR}/set_expire"
 	set_expire "$@"
 	;;
 
     'add-hostname'|'add-name'|'n+')
-	check_host_fail
+	check_host_no_key
+	load_fingerprint
 	source "${MHSHAREDIR}/add_hostname"
 	add_hostname "$@"
 	;;
 
     'revoke-hostname'|'revoke-name'|'n-')
-	check_host_fail
+	check_host_no_key
+	load_fingerprint
 	source "${MHSHAREDIR}/revoke_hostname"
 	revoke_hostname "$@"
 	;;
 
     'add-revoker'|'o')
-	check_host_fail
+	check_host_no_key
+	load_fingerprint
 	source "${MHSHAREDIR}/add_revoker"
 	add_revoker "$@"
 	;;
 
     'revoke-key'|'r')
-	check_host_fail
+	check_host_no_key
+	load_fingerprint
 	source "${MHSHAREDIR}/revoke_key"
 	revoke_key "$@"
 	;;
 
     'publish-key'|'publish'|'p')
-	check_host_fail
+	check_host_no_key
+	load_fingerprint
 	source "${MHSHAREDIR}/publish_key"
 	publish_key
 	;;
 
-    'expert')
-	SUBCOMMAND="$1"
-	shift
-	case "$SUBCOMMAND" in
-	    'help'|'h'|'?')
-		cat <<EOF
-usage: $PGRM expert <subcommand> [options] [args]
-
-expert subcommands:
- import-key (i) [NAME[:PORT]]        import existing ssh key to gpg
- gen-key (g) [NAME[:PORT]]           generate gpg key for the host
-   --length (-l) BITS                  key length in bits (2048)
- diagnostics (d)                     monkeysphere host status
-
-EOF
-		;;
-
-	    'import-key'|'i')
-		source "${MHSHAREDIR}/import_key"
-		import_key "$@"
-		;;
-
-	    'gen-key'|'g')
-		source "${MHSHAREDIR}/gen_key"
-		gen_key "$@"
-		;;
-
-	    'diagnostics'|'d')
-		source "${MHSHAREDIR}/diagnostics"
-		diagnostics
-		;;
+    'import-key'|'i')
+	check_host_key
+	source "${MHSHAREDIR}/import_key"
+	import_key "$@"
+	;;
 
-	    *)
-		failure "Unknown expert subcommand: '$COMMAND'
-Type '$PGRM help' for usage."
-		;;
-	esac
+    'diagnostics'|'d')
+	load_fingerprint
+	source "${MHSHAREDIR}/diagnostics"
+	diagnostics
 	;;
 
     'version'|'v')
diff --git a/src/share/common b/src/share/common
index 2a20c1c..773c11f 100644
--- a/src/share/common
+++ b/src/share/common
@@ -92,15 +92,22 @@ log() {
 
 # run command as monkeysphere user
 su_monkeysphere_user() {
-    # if the current user is the monkeysphere user, then just eval
-    # command
-    if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then
-	eval "$@"
+    case $(id -un) in
+	# if monkeysphere user, run the command under bash
+	"$MONKEYSPHERE_USER")
+	    bash -c "$@"
+	    ;;
 
-    # otherwise su command as monkeysphere user
-    else
-	su "$MONKEYSPHERE_USER" -c "$@"
-    fi
+         # if root, su command as monkeysphere user
+	'root')
+	    su "$MONKEYSPHERE_USER" -c "$@"
+	    ;;
+
+	# otherwise, fail
+	*)
+	    log error "non-privileged user."
+	    ;;
+    esac
 }
 
 # cut out all comments(#) and blank lines from standard input
@@ -136,6 +143,7 @@ lock() {
 	    else
 		lockfile -r 20 "${file}.lock" || failure "unable to lock '$file'"
 	    fi
+	    log debug "lock created on '$file'."
 	    ;;
 	touch)	
 	    if [ -n "$use_lockfileprogs" ] ; then
@@ -143,6 +151,7 @@ lock() {
 	    else
 		: Nothing to do here
 	    fi
+	    log debug "lock touched on '$file'."
 	    ;;
 	remove)
 	    if [ -n "$use_lockfileprogs" ] ; then
@@ -150,6 +159,7 @@ lock() {
 	    else
 		rm -f "${file}.lock"
 	    fi
+	    log debug "lock removed on '$file'."
 	    ;;
 	*)
 	    failure "bad argument for lock subfunction '$action'"
@@ -430,6 +440,8 @@ check_key_file_permissions() {
     uname="$1"
     path="$2"
 
+    log debug "checking path permission '$path'..."
+
     # return 255 if cannot stat file
     if ! stat=$(ls -ld "$path" 2>/dev/null) ; then
         log error "could not stat path '$path'."
@@ -1018,6 +1030,8 @@ update_authorized_keys() {
 
     # remove the lockfile and the trap
     lock remove "$AUTHORIZED_KEYS"
+
+    # remove the trap
     trap - EXIT
 
     # note if the authorized_keys file was updated
diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier
index e9731cc..54ea673 100644
--- a/src/share/ma/add_certifier
+++ b/src/share/ma/add_certifier
@@ -90,30 +90,37 @@ if [ -f "$keyID" ] ; then
     fi
 else
     # get the key from the key server
+    log debug "retrieving key from keyserver..."
     gpg_sphere "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" || failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
 fi
 
 export keyID
 
-# get the full fingerprint of a key ID
-fingerprint=$(gpg_sphere "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \
-    grep '^fpr:' | grep "$keyID" | cut -d: -f10)
+# get the full fingerprint of new certifier key
+log debug "getting fingerprint of certifier key..."
+fingerprint=$(gpg_sphere "--list-key --with-colons --with-fingerprint 0x${keyID}!" \
+    | grep '^fpr:' | grep "$keyID" | cut -d: -f10)
 
 if [ -z "$fingerprint" ] ; then
     failure "Key '$keyID' not found."
 fi
 
-log info -e "\nkey found:"
+log info "key found:"
 gpg_sphere "--fingerprint 0x${fingerprint}!"
 
-echo "Are you sure you want to add the above key as a"
-read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
-if [ "${OK/y/Y}" != 'Y' ] ; then
-    failure "Identity certifier not added."
+if [ "$PROMPT" = "true" ] ; then
+    echo "Are you sure you want to add the above key as a"
+    read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N}
+    if [ "${OK/y/Y}" != 'Y' ] ; then
+	failure "Identity certifier not added."
+    fi
+else
+    log debug "adding key without prompting."
 fi
 
 # export the key to the core keyring so that the core can sign the
 # new certifier key
+log debug "exporting retrieved certifier key to core keyring..."
 gpg_sphere "--export 0x${fingerprint}!" | gpg_core --import
 
 case "$trust" in
@@ -142,6 +149,7 @@ EOF
     )
 
 # core ltsigns the newly imported certifier key
+log debug "executing core ltsign script..."
 if echo "$ltsignCommand" | \
     gpg_core --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then
 
@@ -149,9 +157,10 @@ if echo "$ltsignCommand" | \
     gpg_core_sphere_sig_transfer
 
     # update the sphere trustdb
+    log debug "updating sphere trustdb..."
     gpg_sphere "--check-trustdb"
 
-    log info -e "\nIdentity certifier added."
+    log info "Identity certifier added."
 else
     failure "Problem adding identify certifier."
 fi
diff --git a/src/share/ma/diagnostics b/src/share/ma/diagnostics
index 45a8ce2..0411080 100644
--- a/src/share/ma/diagnostics
+++ b/src/share/ma/diagnostics
@@ -120,7 +120,7 @@ fi
 
 if [ "$problemsfound" -gt 0 ]; then
     echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
-    echo "  monkeysphere-authentication expert diagnostics"
+    echo "  monkeysphere-authentication diagnostics"
 else
     echo "Everything seems to be in order!"
 fi
diff --git a/src/share/ma/list_certifiers b/src/share/ma/list_certifiers
index e37485e..5a0388e 100644
--- a/src/share/ma/list_certifiers
+++ b/src/share/ma/list_certifiers
@@ -17,14 +17,42 @@ list_certifiers() {
 
 local keys
 local key
+local authfpr
 
-# find trusted keys in authentication keychain
-keys=$(gpg_sphere "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-keys --with-colons --fingerprint" | \
-    grep ^pub: | cut -d: -f2,5 | egrep '^(u|f):' | cut -d: -f2)
+# find trusted keys in sphere keychain
+log debug "finding trusted keys..."
 
-# output keys
-for key in $keys ; do
-    gpg_sphere "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key --fingerprint $key"
+# FIXME: this assumes that the keygrip (16 hex chars) is unique; we're
+# only searching by keygrip at the moment.
+
+authgrip=$(core_fingerprint | cut -b 25-40)
+
+# We're walking the list of known signatures, and extracting all trust
+# signatures made by the core fingerprint and known to the sphere
+# keyring.
+
+# for each one of these, we're printing (colon-delimited): the
+# fingerprint, the trust depth, the trust level (60 == marginal, 120
+# == full), and the domain regex (if any):
+
+gpg_sphere "--fingerprint --with-colons --fixed-list-mode --check-sigs" | \
+    cut -f 1,2,5,8,9,10 -d: | \
+    egrep '^(fpr:::::|sig:!:'"$authgrip"':[[:digit:]]+ [[:digit:]]+:)' | \
+    while IFS=: read -r type validity grip trustparams trustdomain fpr ; do
+    case $type in
+	'fpr') # this is a new key
+	    keyfpr=$fpr
+	    ;;
+	'sig') # print all trust signatures, including regexes if present
+	    trustdepth=${trustparams%% *}
+	    trustlevel=${trustparams##* }
+
+	    # FIXME: this is clumsy and not human-friendly.  we should
+	    # print out more human-readable information, if possible.
+	    printf "%s:%d:%d:%s\n" "$keyfpr" "$trustdepth" "$trustlevel" "$trustdomain"
+	    ;;
+    esac
 done
 
+
 }
diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier
index 1164162..8271ae0 100644
--- a/src/share/ma/remove_certifier
+++ b/src/share/ma/remove_certifier
@@ -23,13 +23,16 @@ if [ -z "$keyID" ] ; then
     failure "You must specify the key ID of a key to remove."
 fi
 
-if gpg_sphere "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key 0x${keyID}!" ; then
+# FIXME: should we be doing a fancier list_certifier output here?
+gpg_core --list-key --fingerprint "0x${keyID}!" || failure
+
+if [ "$PROMPT" = "true" ] ; then
     read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N}
     if [ "${OK/y/Y}" != 'Y' ] ; then
 	failure "Identity certifier not removed."
     fi
 else
-    failure
+    log debug "certifier removed without prompting."
 fi
 
 # delete the requested key from the sphere keyring
@@ -41,7 +44,8 @@ if gpg_sphere "--delete-key --batch --yes 0x${keyID}!" ; then
     # update the trustdb for the authentication keyring
     gpg_sphere "--check-trustdb"
 
-    log info -e "\nIdentity certifier removed."
+    log info ""
+    log info "Identity certifier removed."
 else
     failure "Problem removing identity certifier."
 fi
diff --git a/src/share/ma/setup b/src/share/ma/setup
index 034f047..f59187b 100644
--- a/src/share/ma/setup
+++ b/src/share/ma/setup
@@ -23,6 +23,7 @@ setup() {
 
     # deliberately replace the config files via truncation
     # FIXME: should we be dumping to tmp files and then moving atomically?
+    log debug "writing core gpg.conf..."
     cat >"${GNUPGHOME_CORE}"/gpg.conf <<EOF
 # Monkeysphere trust core GnuPG configuration
 # This file is maintained by the Monkeysphere software.
@@ -30,62 +31,78 @@ setup() {
 no-greeting
 list-options show-uid-validity
 EOF
-    
+
+    log debug "writing sphere gpg.conf..."
     cat >"${GNUPGHOME_SPHERE}"/gpg.conf <<EOF
 # Monkeysphere trust sphere GnuPG configuration
 # This file is maintained by the Monkeysphere software.
 # Edits will be overwritten.
 no-greeting
-primary-keyring ${GNUPGHOME_SPHERE}/pubring.gpg
 list-options show-uid-validity
 EOF
 
-    # make sure the monkeysphere user owns everything in th sphere
+    # make sure the monkeysphere user owns everything in the sphere
     # gnupghome
-    chown -R "$MONKEYPSHER_USER" "${GNUPGHOME_SPHERE}"
-    chgrp -R "$MONKEYPSHER_USER" "${GNUPGHOME_SPHERE}"
+    log debuf "fixing sphere gnupg home ownership..."
+    chown -R "$MONKEYSPHERE_USER" "${GNUPGHOME_SPHERE}"
+    chgrp -R "$MONKEYSPHERE_USER" "${GNUPGHOME_SPHERE}"
 
     # get fingerprint of core key.  this should be empty on unconfigured systems.
-    local CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+    local CORE_FPR=$(core_fingerprint)
+    log debug "core fingerprint: $CORE_FPR"
 
     if [ -z "$CORE_FPR" ] ; then
-	log info "Setting up Monkeysphere authentication trust core..."
+	log info "setting up Monkeysphere authentication trust core..."
 
 	local CORE_UID=$(printf "Monkeysphere authentication trust core UID (random string: %s)" $(head -c21 </dev/urandom | base64))
     
 	log debug "generating monkeysphere authentication trust core key ($CORE_KEYLENGTH bits)..."
-	PEM2OPENPGP_USAGE_FLAGS=certify PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" | gpg_core --import || failure "Could not import new key for Monkeysphere authentication trust core"
+	PEM2OPENPGP_USAGE_FLAGS=certify \
+	    PEM2OPENPGP_NEWKEY=$CORE_KEYLENGTH pem2openpgp "$CORE_UID" \
+	    | gpg_core --import \
+	    || failure "Could not import new key for Monkeysphere authentication trust core"
 
 	# get fingerprint of core key.  should definitely not be empty at this point
-	log debug "get core key fingerprint..."
-	CORE_FPR=$(gpg_core --with-colons --fixed-list-mode --fingerprint --list-secret-key | grep ^fpr: | cut -f10 -d: )
+	CORE_FPR=$(core_fingerprint)
+	log debug "core fingerprint: $CORE_FPR"
 	if [ -z "$CORE_FPR" ] ; then
 	    failure "Failed to create Monkeysphere authentication trust core!"
 	fi
 	
     else 
-	log verbose "This system has already set up the Monkeysphere authentication trust core."
+	log verbose "Monkeysphere authentication trust core already exists."
     fi
 
+    # export the core key to the sphere keyring
+    log debug "exporting core pub key to sphere keyring..."
+    gpg_core --export | gpg_sphere --import
 
     # ensure that the authentication sphere checker has absolute ownertrust on the expected key.
-    log debug "set ultimate owner trust on core key in gpg_sphere..."
+    log debug "setting ultimate owner trust on core key in gpg_sphere..."
     printf "%s:6:\n" "$CORE_FPR" | gpg_sphere --import-ownertrust
+    gpg_sphere --export-ownertrust | log debug
+
+    # check the owner trust
+    log debug "checking gpg_sphere owner trust set properly..."
     local ORIG_TRUST
-    log debug "check gpg_sphere owner trust set properly..."
     if ORIG_TRUST=$(gpg_sphere --export-ownertrust | grep '^[^#]') ; then
 	if [ "${CORE_FPR}:6:" != "$ORIG_TRUST" ] ; then
 	    failure "Monkeysphere authentication trust sphere should explicitly trust the core.  It does not have proper ownertrust settings."
 	fi
     else
 	failure "Could not get monkeysphere-authentication trust guidelines."
+	# FIXME: what does this mean?  should we suggest how to fix?
     fi
 
     # ensure that we're using the extended trust model (1), and that
     # our preferences are reasonable (i.e. 3 marginal OR 1 fully
     # trusted certifications are sufficient to grant full validity.
-    log debug "check trust level of core key..."
-    if [ "1:3:1" != $(gpg_sphere --with-colons --fixed-list-mode --list-keys | head -n1 | grep ^tru: cut -f3,6,7 -d:) ] ; then
+    log debug "checking trust model for authentication ..."
+    local TRUST_MODEL=$(gpg_sphere "--with-colons --fixed-list-mode --list-keys" \
+	| head -n1 | grep "^tru:" | cut -d: -f3,6,7)
+    log debug "sphere trust model: $TRUST_MODEL"
+    if [ "$TRUST_MODEL" != '1:3:1' ] ; then
 	failure "monkeysphere-authentication does not have the expected trust model settings."
+	# FIXME: what does this mean?  should we suggest how to fix?
     fi
 }
diff --git a/src/share/mh/add_hostname b/src/share/mh/add_hostname
index 46326bb..70bbec3 100644
--- a/src/share/mh/add_hostname
+++ b/src/share/mh/add_hostname
@@ -31,11 +31,15 @@ userID="ssh://${1}"
 find_host_userid > /dev/null && \
     failure "Host userID '$userID' already exists."
 
-echo "The following user ID will be added to the host key:"
-echo "  $userID"
-read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
-if [ ${OK/y/Y} != 'Y' ] ; then
-    failure "User ID not added."
+if [ "$PROMPT" = "true" ] ; then
+    echo "The following user ID will be added to the host key:"
+    echo "  $userID"
+    read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N}
+    if [ ${OK/y/Y} != 'Y' ] ; then
+	failure "User ID not added."
+    fi
+else
+    log debug "adding user ID without prompting."
 fi
 
 # edit-key script command to add user ID
@@ -51,6 +55,8 @@ EOF
 # execute edit-key script
 if echo "$adduidCommand" | gpg_host_edit ; then
 
+    update_gpg_pub_file
+
     show_key
 
     echo
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker
index 39dfaca..b4113df 100644
--- a/src/share/mh/add_revoker
+++ b/src/share/mh/add_revoker
@@ -53,7 +53,7 @@ if [ -f "$keyID" ] ; then
     fi
 else
     # create a temporary directory for storing the downloaded key
-    TMPLOC=$(mktemp -d ${MHTMPDIR}/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
+    TMPLOC=$(mktemp -d "${MHTMPDIR}"/tmp.XXXXXXXXXX) || failure "Could not create temporary directory!"
 
     # download the key from the keyserver as the monkeysphere user
     su_monkeysphere_user \
@@ -74,17 +74,20 @@ if [ -z "$fingerprint" ] ; then
     failure "Key '$keyID' not found."
 fi
 
-log info -e "\nkey found:"
+log info "key found:"
 gpg_host --fingerprint "0x${fingerprint}!"
 
-echo "Are you sure you want to add the above key as a"
-read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N}
-if [ "${OK/y/Y}" != 'Y' ] ; then
-    failure "Revoker not added."
+if [ "$PROMPT" = "true" ] ; then
+    echo "Are you sure you want to add the above key as a"
+    read -p "revoker of the host key? (y/N) " OK; OK=${OK:-N}
+    if [ "${OK/y/Y}" != 'Y' ] ; then
+	failure "revoker not added."
+    fi
+else
+    log debug "adding revoker without prompting."
 fi
 
 # edit-key script to add revoker
-# NOTE: *all* user IDs will be ltsigned
 addrevokerCommand=$(cat <<EOF
 addrevoker
 
@@ -98,7 +101,9 @@ failure "not implemented yet!"
 if echo "$addrevokerCommand" | \
     gpg_core_edit ; then
 
-    log info -e "\nRevoker added."
+    update_gpg_pub_file
+
+    log info "Revoker added."
 else
     failure "Problem adding revoker."
 fi
diff --git a/src/share/mh/diagnostics b/src/share/mh/diagnostics
index 96065e6..d774723 100644
--- a/src/share/mh/diagnostics
+++ b/src/share/mh/diagnostics
@@ -152,7 +152,7 @@ fi
 
 if [ "$problemsfound" -gt 0 ]; then
     echo "When the above $problemsfound issue"$(if [ "$problemsfound" -eq 1 ] ; then echo " is" ; else echo "s are" ; fi)" resolved, please re-run:"
-    echo "  monkeysphere-host expert diagnostics"
+    echo "  monkeysphere-host diagnostics"
 else
     echo "Everything seems to be in order!"
 fi
diff --git a/src/share/mh/gen_key b/src/share/mh/gen_key
deleted file mode 100644
index 7b427e4..0000000
--- a/src/share/mh/gen_key
+++ /dev/null
@@ -1,87 +0,0 @@
-# -*-shell-script-*-
-# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant)
-
-# Monkeysphere host gen-key subcommand
-#
-# The monkeysphere scripts are written by:
-# Jameson Rollins <jrollins@finestructure.net>
-# Jamie McClelland <jm@mayfirst.org>
-# Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-#
-# They are Copyright 2008-2009, and are all released under the GPL,
-# version 3 or later.
-
-gen_key() {
-
-local hostName=$(hostname -f)
-local keyType="RSA"
-local keyLength="2048"
-local keyUsage="auth"
-local keyExpire="0"
-local userID
-
-# check for presense of a key
-[ "$HOST_FINGERPRINT" ] && \
-    failure "An OpenPGP host key already exists."
-
-# get options
-while true ; do
-	case "$1" in
-	    -l|--length)
-		keyLength="$2"
-		shift 2
-		;;
-	    *)
-		if [ "$(echo "$1" | cut -c 1)" = '-' ] ; then
-		    failure "Unknown option '$1'.
-Type '$PGRM help' for usage."
-		fi
-		break
-		;;
-	esac
-done
-
-hostName="$1"
-userID="ssh://${hostName}"
-
-# create host home
-mkdir -p "$GNUPGHOME_HOST"
-chmod 700 "$GNUPGHOME_HOST"
-
-log debug "generating host key..."
-gpg_host --batch --gen-key <<EOF
-Key-Type: $keyType
-Key-Length: $keyLength
-Key-Usage: $keyUsage
-Name-Real: $userID
-Expire-Date: $keyExpire
-
-%commit
-%echo done
-
-EOF
-
-# find the key fingerprint of the newly converted key
-HOST_FINGERPRINT=$(get_host_fingerprint)
-export HOST_FINGERPRINT
-
-# translate the private key to ssh format, and export to a file
-# for sshs usage.
-# NOTE: assumes that the primary key is the proper key to use
-log debug "exporting ssh secret key..."
-(umask 077 && \
-	gpg_host --export-secret-key "$HOST_FINGERPRINT" | \
-	openpgp2ssh "$HOST_FINGERPRINT" > "${MHDATADIR}/ssh_host_rsa_key")
-log info "SSH host private key output to file: ${MHDATADIR}/ssh_host_rsa_key"
-
-log debug "creating ssh public key..."
-ssh-keygen -y -f "${MHDATADIR}/ssh_host_rsa_key" > "$HOST_KEY_PUB"
-log info "SSH host public key output to file: $HOST_KEY_PUB"
-
-# export public key to file
-gpg_host_export_to_ssh_file
-
-# show info about new key
-show_key
-
-}
diff --git a/src/share/mh/import_key b/src/share/mh/import_key
index 99511a8..d14fc13 100644
--- a/src/share/mh/import_key
+++ b/src/share/mh/import_key
@@ -14,31 +14,48 @@
 import_key() {
 
 local hostName
+local domain
 local userID
 
-# check for presense of a key
-[ "$HOST_FINGERPRINT" ] && \
-    failure "An OpenPGP host key already exists."
-
-hostName=${1:-$(hostname -f)}
+hostName="$1"
+
+# use the default hostname if not specified
+if [ -z "$hostName" ] ; then
+    hostName=$(hostname -f)
+    # test that the domain is not obviously illegitimate
+    domain=${foo##*.}
+    case $domain in
+	'local'|'localdomain')
+	    failure "Host domain '$domain' is not legitimate.  Aborting key import."
+	    ;;
+    esac
+    # test that there are at least two parts
+    if (( $(echo "$hostName" | tr . ' ' | wc -w) < 2 )) ; then
+	failure "Host name '$hostName' is not legitimate.  Aborting key import."
+    fi
+fi
 
 userID="ssh://${hostName}"
 
 # create host home
-mkdir -p "$GNUPGHOME_HOST"
-chmod 700 "$GNUPGHOME_HOST"
+mkdir -p "${MHDATADIR}"
+mkdir -p "${MHTMPDIR}"
+mkdir -p "${GNUPGHOME_HOST}"
+chmod 700 "${GNUPGHOME_HOST}"
 
 log verbose "importing ssh key..."
 # translate ssh key to a private key
-PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" | \
-    gpg_host --import
+PEM2OPENPGP_USAGE_FLAGS=authenticate pem2openpgp "$userID" \
+    | gpg_host --import
 
-# find the key fingerprint of the newly converted key
-HOST_FINGERPRINT=$(get_host_fingerprint)
-export HOST_FINGERPRINT
+# load the new host fpr into the fpr variable.  this is so we can
+# create the gpg pub key file.  we have to do this from the secret key
+# ring since we obviously don't have the gpg pub key file yet, since
+# that's what we're trying to produce (see below).
+load_fingerprint_secret
 
-# export public key to file
-gpg_host_export_to_ssh_file
+# export to gpg public key to file
+update_gpg_pub_file
 
 # show info about new key
 show_key
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
index 988b450..b433ad7 100644
--- a/src/share/mh/publish_key
+++ b/src/share/mh/publish_key
@@ -15,17 +15,33 @@
 
 publish_key() {
 
-read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
-if [ ${OK/y/Y} != 'Y' ] ; then
-    failure "key not published."
+local GNUPGHOME
+
+if [ "$PROMPT" = "true" ] ; then
+    read -p "Really publish host key to $KEYSERVER? (y/N) " OK; OK=${OK:=N}
+    if [ ${OK/y/Y} != 'Y' ] ; then
+	failure "key not published."
+    fi
+else
+    log debug "publishing key without prompting."
 fi
 
-# find the key fingerprint
-fingerprint=$(fingerprint_host_key)
+# create a temporary gnupg directory from which to publish the key
+export GNUPGHOME=$(mktemp -d)
+
+# trap to remove tmp dir if break
+trap "rm -rf $GNUPGHOME" EXIT
+
+# import the host key into the tmp dir
+su_monkeysphere_user \
+    "gpg --quiet --import" <"$HOST_KEY_FILE"
 
 # publish host key
-# FIXME: need to define how to do this
-#gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'"
-echo "not published!!!"
+su_monkeysphere_user \
+    "gpg --keyserver $KEYSERVER --send-keys '0x${HOST_FINGERPRINT}!'"
+
+# remove the tmp file
+trap - EXIT
+rm -rf "$GNUPGHOME"
 
 }
diff --git a/src/share/mh/revoke_hostname b/src/share/mh/revoke_hostname
index 940b5f4..77f1f0d 100644
--- a/src/share/mh/revoke_hostname
+++ b/src/share/mh/revoke_hostname
@@ -30,7 +30,7 @@ fi
 echo "WARNING: There is a known bug in this function."
 echo "This function has been known to occasionally revoke the wrong user ID."
 echo "Please see the following bug report for more information:"
-echo "http://web.monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/"
+echo "https://labs.riseup.net/code/issues/show/422"
 read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N}
 if [ ${OK/y/Y} != 'Y' ] ; then
     failure "aborting."
@@ -42,11 +42,15 @@ userID="ssh://${1}"
 uidIndex=$(find_host_userid) || \
     failure "No non-revoked user ID found matching '$userID'."
 
-echo "The following host key user ID will be revoked:"
-echo "  $userID"
-read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
-if [ ${OK/y/Y} != 'Y' ] ; then
-    failure "User ID not revoked."
+if [ "$PROMPT" = "true" ] ; then
+    echo "The following host key user ID will be revoked:"
+    echo "  $userID"
+    read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N}
+    if [ ${OK/y/Y} != 'Y' ] ; then
+	failure "User ID not revoked."
+    fi
+else
+    log debug "revoking user ID without prompting."
 fi
 
 # edit-key script command to revoke user ID
@@ -65,6 +69,8 @@ EOF
 # execute edit-key script
 if echo "$revuidCommand" | gpg_host_edit ; then
 
+    update_gpg_pub_file
+
     show_key
 
     echo
diff --git a/src/share/mh/set_expire b/src/share/mh/set_expire
index 653149f..14d2501 100644
--- a/src/share/mh/set_expire
+++ b/src/share/mh/set_expire
@@ -21,11 +21,25 @@ local extendTo
 # get the new expiration date
 extendTo=$(get_gpg_expiration "$1")
 
+if [ "$PROMPT" = "true" ] ; then
+    read -p "Are you sure you want to change the expiration on the host key to '$extendTo'? (y/N) " OK; OK=${OK:-N}
+    if [ "${OK/y/Y}" != 'Y' ] ; then
+	failure "expiration not set."
+    fi
+else
+    log debug "extending without prompting."
+fi
+
+log info "setting host key expiration to ${extendTo}:"
+
+log debug "executing host expire script..."
 gpg_host_edit expire <<EOF
 $extendTo
 save
 EOF
 
+update_gpg_pub_file
+
 cat <<EOF | log info
 NOTE: Host key expiration date adjusted, but not yet published.
 Run '$PGRM publish-key' to publish the new expiration date.
diff --git a/src/transition_0.22_0.23 b/src/transition_0.22_0.23
new file mode 100755
index 0000000..3328e8c
--- /dev/null
+++ b/src/transition_0.22_0.23
@@ -0,0 +1,69 @@
+#!/bin/bash
+
+# This is a post-install script for monkeysphere, to transition an old
+# (<=0.22) setup to the new (>0.22) setup
+
+SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
+
+MADATADIR="${SYSDATADIR}/authentication"
+MHDATADIR="${SYSDATADIR}/host"
+
+############################################################
+### transfer host setup
+
+if [ -d "$SYSDATADIR"/gnupg-host ] ; then
+
+    if [ -s "$SYSDATADIR"/ssh_host_rsa_key ] ; then
+
+	# This would be simple, but it would generate a new pgp key,
+	#and we don't want that, right?
+	#monkeysphere-host expert import_key "$SYSDATADIR"/ssh_host_rsa_key
+
+	# create host home
+	mkdir -p "${MHDATADIR}"
+	mkdir -p "${MHTMPDIR}"
+	mkdir -p "${GNUPGHOME_HOST}"
+	chmod 700 "${GNUPGHOME_HOST}"
+
+	# transfer the host secret key from the old home to the new
+	GNUPGHOME="$SYSDATADIR"/gnupg-host gpg --export-secret-keys \
+	    GNUPGHOME="$MHDATADIR" gpg --import
+
+	# make sure the ssh_host_rsa_key.pub and ssh_host_rsa_key.pub.gpg
+	# files exist
+
+	# anything else?
+
+    fi
+
+    #rm -rf "$SYSDATADIR"/gnupg-host
+
+fi
+
+############################################################
+### transfer authentication setup
+
+# should we test for something else/better than the existence of this
+# directory to know that we should go through the setup?
+if [ -d "$SYSDATADIR"/gnupg-authentication ] ; then
+
+    # run the authentication setup
+    monkeysphere-authentication setup
+
+    # transfer certifiers
+    # FIXME: how?
+    # i think we'll need to run something like
+    # gpg_core_sphere_sig_transfer after transfering certifiers ltsigs
+
+    # do we need to do some sort of transfer of ownertrust?
+
+    # move the authorized_keys directory
+    mv "$SYSDATADIR"/authorized_keys "$MADATADIR"/
+
+    # do we need to transfer anything else?  running update-users will
+    # regenerate everything else in the sphere keyring, right?
+
+    #rm -rf "$SYSDATADIR"/gnupg-authentication
+
+fi
+
diff --git a/tests/README b/tests/README
new file mode 100644
index 0000000..2bc981c
--- /dev/null
+++ b/tests/README
@@ -0,0 +1,31 @@
+Monkeysphere test infrastructure
+================================
+
+These are scripts to test various aspects of the Monkeysphere system.
+
+Some notes about getting started working on the monkeysphere test
+infrastructure:
+
+- the tests can and should be run as a non-privileged user.  since the
+  tests do potentially destructive things (like wiping out and
+  recreating gpg keyrings) they should definitely *not* be run as
+  root.  it may even be advisable to run them as a different,
+  dedicated user, so that any goofs you make while updating the test
+  infrastructure don't compromise your main account.
+
+- you do not need the monkeysphere package installed locally, though
+  you will need the monkeysphere dependencies installed locally.
+
+- the idea with this script is to do the following:
+
+  - set up test server infrastructure
+  - test the server setup
+  - set up test user
+  - test an ssh connection between test user and test server
+  - modify server/user setup and rerun ssh_test to make sure it
+    suceeds/fails as expected
+
+- there are various FIXMEs in the script that outline some of the
+  further testing that should be undertaken.
+
+- good documentation in the code in the form of comments are needed.
diff --git a/tests/basic b/tests/basic
index d9399f0..9114f32 100755
--- a/tests/basic
+++ b/tests/basic
@@ -90,7 +90,14 @@ trap failed_cleanup EXIT
 ## set up some variables to ensure that we're operating strictly in
 ## the tests, not system-wide:
 
-# make temp dir
+# set up temp dir
+
+# NOTE: /tmp can not be used as the temp dir here, since the
+# permissions on /tmp are usually such that they will not pass the
+# monkeysphere/ssh path permission checking.  If you need to use a
+# different location than the current source, please set $TMPDIR
+# somewhere with tighter permissions.
+
 mkdir -p "$TESTDIR"/tmp
 TEMPDIR=$(mktemp -d "${TMPDIR:-$TESTDIR/tmp}/monkeyspheretest.XXXXXXX")
 
@@ -121,10 +128,8 @@ export DISPLAY=monkeys
 
 # copy in admin and testuser home to tmp
 echo "##################################################"
-echo "### copying admin and testuser homes..."
-cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
+echo "### configuring testuser home..."
 cp -a "$TESTDIR"/home/testuser "$TEMPDIR"/
-
 # set up environment for testuser
 export TESTHOME="$TEMPDIR"/testuser
 export GNUPGHOME="$TESTHOME"/.gnupg
@@ -141,6 +146,10 @@ KNOWN_HOSTS=$TESTHOME/.ssh/known_hosts
 EOF
 get_gpg_prng_arg >> "$GNUPGHOME"/gpg.conf
 
+echo "##################################################"
+echo "### configuring admin home..."
+cp -a "$TESTDIR"/home/admin "$TEMPDIR"/
+
 # set up sshd
 echo "##################################################"
 echo "### configuring sshd..."
@@ -155,34 +164,23 @@ EOF
 ######################################################################
 ### SERVER HOST SETUP
 
-# create a new host key
-echo "##################################################"
-echo "### testing host key generation..."
-mkdir -p -m 750 "$MONKEYSPHERE_SYSDATADIR"/host
-# add gpg.conf with quick-random
-get_gpg_prng_arg >> "$MONKEYSPHERE_SYSCONFIGDIR"/host/gpg.conf
-echo | monkeysphere-host expert gen-key --length 1024 testhost
-
-# remove the host home for the next test
-rm -rf "$MONKEYSPHERE_SYSCONFIGDIR"/host
-
 # import host key
 echo "##################################################"
-echo "### testing host key importing..."
+echo "### import host key..."
 ssh-keygen -b 1024 -t rsa -N '' -f "$TEMPDIR"/ssh_host_rsa_key
-monkeysphere-host expert import-key testhost < "$TEMPDIR"/ssh_host_rsa_key
+monkeysphere-host import-key testhost < "$TEMPDIR"/ssh_host_rsa_key
+
+echo "##################################################"
+echo "### getting host key fingerprint..."
+HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\  )
+echo "$HOSTKEYID"
 
 # change host key expiration
 echo "##################################################"
 echo "### setting host key expiration..."
 monkeysphere-host set-expire 1
-monkeysphere-host show-key
 # FIXME: how do we check that the expiration has really been set?
 
-echo "##################################################"
-echo "### getting host key fingerprint..."
-HOSTKEYID=$( monkeysphere-host show-key | grep '^OpenPGP fingerprint: ' | cut -f3 -d\  )
-
 # certify host key with the "Admin's Key".
 # (this would normally be done via keyservers)
 echo "##################################################"
@@ -214,10 +212,13 @@ get_gpg_prng_arg >> "$MONKEYSPHERE_SYSDATADIR"/authentication/sphere/gpg.conf
 # add admin as identity certifier for testhost
 echo "##################################################"
 echo "### adding admin as certifier..."
-echo y | monkeysphere-authentication add-id-certifier "$TEMPDIR"/admin/.gnupg/pubkey.gpg
+monkeysphere-authentication add-id-certifier -y "$TEMPDIR"/admin/.gnupg/pubkey.gpg
 
-# FIXME: should we run "diagnostics" here to test setup?
+echo "##################################################"
+echo "### list certifiers..."
+monkeysphere-authentication list-certifiers
 
+# FIXME: should we run "diagnostics" here to test setup?
 
 ######################################################################
 ### TESTUSER SETUP
@@ -235,12 +236,14 @@ gpgadmin --armor --export "$HOSTKEYID" | gpg --import
 # teach the "server" about the testuser's key
 echo "##################################################"
 echo "### export testuser key to server..."
-gpg --export testuser | monkeysphere-authentication expert gpg-cmd --import
+gpg --export testuser | monkeysphere-authentication gpg-cmd --import
 
 # update authorized_keys for user
 echo "##################################################"
 echo "### update server authorized_keys file for this testuser..."
 monkeysphere-authentication update-users $(whoami)
+# FIXME: this is maybe not failing properly for:
+# ms: improper group or other writability on path '/tmp'.
 
 
 ######################################################################
diff --git a/tests/common b/tests/common
index adc96a2..0f90500 100644
--- a/tests/common
+++ b/tests/common
@@ -3,7 +3,10 @@
 failed_cleanup() {
     # FIXME: can we be more verbose here?
     echo 'FAILED!'
-    read -p "press enter to cleanup and remove tmp:"
+    read -p "press enter to cleanup and remove tmp (or type bash for a subshell to examine): " XX
+    if [ "$XX" = bash ] ; then
+	bash
+    fi
 
     cleanup
 }
diff --git a/website/archive-key.mdwn b/website/archive-key.mdwn
index 6658469..eec40d5 100644
--- a/website/archive-key.mdwn
+++ b/website/archive-key.mdwn
@@ -37,7 +37,7 @@ If you have properly verified this key, you can add it to your apt
 keyring for proper cryptographic verification of the archive and its
 packages by doing the following:
 
-	 $ sudo gpg -a --export EB8AF314 | apt-key add -
+	 $ gpg -a --export EB8AF314 | sudo apt-key add -
 	 OK
 	 $ aptitude update
 	 ...